Skillset

Popular Chinese Android Smartphones Discovered to Have a Built-In Backdoor

Chinese smartphone manufactures have long been under the suspicion that their products contain backdoors. Researchers from Palo Alto Networks found such vulnerabilities in China’s third-largest seller ‘Coolpad’, which puts over 10 million users worldwide at risk. This functionality is called “CoolReaper,” and it is “able to track users, push unwanted pop-up advertisements and install unauthorized apps onto users’ phones without their knowledge.” All specifications of CoolReaper Backdoor are presented in the following list:

Source: Built-In Backdoor Found in Popular Chinese Android Smartphones by Swati Khandelwal

The backdoor is pre-installed on various Coolpad Android handset models on sale exclusively in China and Taiwan.

This is not be the first time a phone manufacturer from China is rebuked for products that undermine security. The Star N9500 smartphone was found to have a pre-installed Trojan for spying on users. In another case, Xiaomi, a popular Chinese smartphone brand was under suspicion of stealing data from users’ devices without their permission and transferring it to a server located somewhere in Beijing. Lastly, the same security company from Palo Alto discovered the “WireLuker” malware as well. It targeted Chinese Mac and iOS users, having also the specific ability to penetrate non-jailbroken iOS devices.

A Controversial Chinese Policy on IT Backdoor and Encryption Keys. The Empire Strikes Back?

The New York Times reported that the Chinese government has enacted new regulations that demand companies selling computer equipment on the local market to important institutions, such as banks, to submit their secret source code, go through invasive audits and create hardware and software with built-in backdoors.

It is unclear whether these changes are dictated from a cybersecurity point of view or the reasons are others. One the one hand, what Edward Snowden disclosed about how the U.S. National Security Agency (NSA) conducted surveillance activities on Chinese networks could have been the igniter, but on the other hand, China could be trying to favour local businesses over their Western competitors – perhaps to a certain extent in response to the fact that the U.S. authorities have made it virtually impossible for the major Chinese tech corporation Huawei to sell devices on American soil, claiming that its servers and smartphones might contain “backdoors”. With respect to the latter point, we can witness a full-fledged “double agent” scheme of sorts, because Snowden made public the NSA’s effort to exploit Huawei’s systems for its own ends.

As already mentioned, the secret source code must be turned over to the Chinese officials, but most foreign companies would be reluctant to disclose it out of security, intellectual property, and other legal concerns. Western countries condemned these extreme rules, calling them protectionist. “I think they’re obviously targeting foreign vendors that are operating in China. They are promoting the local technologies […],” opines Matthew Cheung, a security researcher who works for the analytics firm Gartner. Consequently, these companies will be forced out of this rapidly growing market. According to the US Chamber of Commerce, however, this “discriminatory approach to cybersecurity […] would ultimately isolate Chinese ICT firms from the global marketplace and weaken cybersecurity, thereby harming China’s economic growth and development and restricting customer choice.”

The beginning of 2015 was marked by serious intentions, inter alia, regarding the possibility of installing a backdoor in all computer devices so that law enforcement agencies in some Western countries (U.K. and U.S. in particular) would be able to surveil potential criminals and terrorists. For that purpose, U.S.-based tech giants must allow the government to crack down on their encryption for some kinds of applications (e.g.,WhatsApp and Snapchat) in order for the latter to decipher communications of interest. Pointing the finger at Facebook for not doing enough to assist British security services to prevent the terror attack in London 2013, the U.K. Prime Minister David Cameron touts this approach as a supposed counterterrorism solution:

“In extremis, it has been possible to read someone’s letter, to listen to someone’s call, to listen in on mobile communications. The question remains: are we going to allow a means of communications where it simply is not possible to do that? My answer to that question is: no, we must not.

The British spy agencies cannot tackle these challenges of terrorist use of digital services – without greater support from the private sector, including and not limited to the largest technology companies in the United States which dominate the web.“

On the other hand, in the wake of Snowden’s revelations, the U.S. government pledged to “support and not undermine efforts to create encryption standards” and “not in any way subvert, undermine, weaken or make vulnerable generally available commercial software.” The U.S. President defines himself as “a strong believer in strong encryption…. [who] lean[s] probably further on side of strong encryption than some in law enforcement.” Yet, he acknowledges that installing a backdoor in the mass-produced computer equipment might come as something necessary:

“Police and spies should not be locked out of encrypted smart phones and messaging apps. Social media and the internet is the primary way in which these terrorist organizations are communicating. That is not different from anybody else, but they are good at it. And when we have the ability to track that in a way that is legal, conforms to due process, rule of law and presents oversight, then that is a capability that we have to preserve.“\

Ongoing Strained Relations between Government and Tech Giants

Another outcome after what Snowden brought into daylight is the continuing tension between the U.S. government and Silicon Valley. Whether it would be recordings of intercepted traffic between Yahoo and Google servers or the agency’s employees setting up “beacons” in a Cisco Systems server, router, and other network components to eavesdrop on a targeted computer, the ex-NSA contractor proved with documents and photographs some of the agency’s dirty deeds.

The present situation is fact, however, also in part due to great efforts demonstrated by the administration to persuade IT companies not to embed impenetrable encryption in commercial devices, such as Google’s Android and Apple’s iPhone, and the government’s policy to stockpile “zero day” security flaws in software with the intention to use them as a weapon against future adversaries. One good example would be the fact that the FBI Director Comey called up on companies to rig out their devices with security flaws for government authorities to be able to enter and wiretap the data flowing through or stored on consumer devices.

Apple and Google announced they will apply Strong Encryption to their Devices

On the other side of the barricade is the IT community, which seems to vigorously attempt to show to the public that they are not to be swayed. Contrary to the constant political pressure, Apple and Google announced that they will tighten up the security of their devices with strong encryption. Wrongdoers will be unable to access sensitive files on the device (e.g., credit card details, emails, photos, social media accounts, medical records and so on) where there is encryption by default.

Secret backdoors in 600 million Apple devices?

But aren’t some of these companies just trying to pretend to be more Catholic than the Pope? Jonathan Zdziarski, a distinguished security researcher, claimed that around 600 million Apple devices include embedded hidden backdoors through which data can be surreptitiously exfiltrated. He further explains that “several undocumented forensic services are installed on every new iPhone and iPad, making it easier than ever for a third-party to pull data from those devices in order to compromise a target and take hold of their personal information, including pictures, text messages, voice recordings and more.” Programs named “file_relay” and “pcapd” are among those hidden functions residing in iOS devices. With the help of these programs, large amounts of data can be pulled from a targeted phone even in cases when the device is locked.

Despite these facts, Apple emphatically reaffirmed they have “never worked with any government agency from any country to create a backdoor in any of our products of services.”

II. Intelligence Agencies Have Their Own Ways of Access

1. Working with Those Willing to Co-operate

NSA Backdoor Used to Bypass Encryption of Verizon Subscribers

The journalist Karl Bode reports how a calling service offered by Verizon in 2014 comes with extra perks as a “NSA backdoor at no additional charge”. The U.S. telecom explains that law enforcement agencies will only have access so long as they can back up their acts with a sufficient legal justification. Prominent slogans from Verizon’s advertisement of this product are: “Security when it matters most” and “Trust the industry’s most secure voice communication for your phones and mobile devices.” Apparently, Verizon customers should lay their trust in an “end-to-end encryption” system that has a hole or two between its ends (not to mention other recent privacy controversies as the ‘perma-cookie‘ thing). Perhaps the whole story does not come as a surprise to more informed readers, given the allegedly tight relations between American telcos and NSA demonstrated in the past.

2. Paying “the 30 Pieces of Silver”

It was revealed in a publication by ThomsonReuters that NSA had purchased the crafting of a deliberate flaw in the encryption mechanism distributed by the tech company RSA for the sum of $10 million. The discredited cryptography system dubbed Dual Elliptic Curve represents a random number generator with a backdoor for NSA to come and go as they please.

Not long after the news emerged, university professors claimed finding a tool known as the “Extended Random” that can crack RSA’s Dual Elliptic Curve algorithm “tens of thousands of times faster”. Reportedly, “the NSA played a significant role in the origins of Extended Random.”

3. Playing God

BULLRUN is the codename of operation conducted by NSA (again disclosed by the “omnipresent” former agent in exile) in order to circumvent democratic mechanisms, such as Congress, courts, and public opinion standing in their way to decrypting valuable data. With a great variety of tactics ranging from infiltrating and coercing security firms to pre-install vulnerabilities in their products, the agency was determined to break the Gordian knot of formidable obstacles like Virtual Private Networks and Secure Sockets Layer.

A fresh example of this strategy adopted by NSA, among others, is:

Case Study: Gemalto Data Breach

An alleged joint operation between the American and British intelligence agencies, NSA and GCHQ respectively, against the world’s biggest SIM card manufacturer and distributor, Gemalto, led to a major theft of encryption keys used for privacy protection of smartphone communications all over the world, according to The Intercept and its informant Edward Snowden.

All SIM cards comes from the factory with a unique fabric encryption sequence burned in it, called “Ki”. A copy of each Ki is delivered to communications carriers so that they will be able to authenticate each device. When a device attempts to connect to a carrier’s network, the key of the SIM is compared to the one held by the mobile company (See Fig.1). The phone automatically executes a secret “handshake” that validates the match between both keys.

Fig.1

From that moment on, all data communications exchanged between the phone and the network become encrypted (See Fig.2). Compared to its predecessor – 2 G – the new mobile network standards 3G and 4G offer almost impenetrable encryption.

Fig.2

It seems that the weak spot is the permanent Kis on SIM cards. A solution to this problem can be a mass implementation of Perfect Forward Secrecy (PFS) to smart phones. Rather than using one encryption key over and over again until you change your SIM card, PFS generates a brand new key for a given period of time (it could be a minute or a day), with the old one being promptly deleted afterwards. Although presently used only in websites like Twitter and Google or built into modern web browser, PFS can surely bring in a new-generation secure encryption method to the mobile industry.

While this technological shift awaits around the corner, how consumers will protect themselves until then? Perhaps the only feasible way to thwart Ki theft-enabled surveillance is the usage of secure communication software based on Transport Layer Security (TLS) and HTTPS web protocol (e.g., most email services). In addition, apps like Silent Text and TextSecure offer better security than standard SMS, and RedPhone, Silent Phone and Signal can encrypt voice calls.

“Cryptography is typically bypassed, not penetrated,” stated Adi Shamir – instead of decrypting something very difficult to crack, secret agencies can have a merrier time if they simply sidestep somehow the encryption barrier. Fortunately for them, the SIM card manufacturing and distribution pipeline nowadays cannot withstand a severe targeted cyber attack by almighty government organizations. And as maintained by The Intercept, the combined efforts of American-British spies managed to open a secret outlet to Gemalto’s internal network through initial targeted cyber attacks against Gemalto employees and several telecom executives. All the action began from their Facebook accounts and email platforms. After that, “key individuals” within Gemalto were selected and their private accounts were hacked. A company employee in Thailand, who was dispatching encrypted files, is thought to be the first but not the single point of failure.

Gemalto admitted that there is evidence for a breach by a joint NSA and GCHQ task-force, but denied to have resulted in a theft of SIM card encryption keys. They also claim that the SIM encryption keys could not have been reached because the “intrusions only affected the outer parts of [their] network.” Gemalto also stated that a theft of this kind would be very improbable in practice because they possess “highly secure exchange processes” and a segregated network. Moreover, the advanced security of 3G and 4G communications would prevent snooping on users even if someone has acquired the SIM keys.

In the opinion of Forbes‘ journalist Fox-Brewster, there seems to be some inconsistencies with the asseveration made by Gemalto: First, they have managed to assemble all the pieces in a very short period of time. Presumably, a sophisticated, lasting cyber attack of clandestine nature performed by technically ingenious state agents would require a much longer in-depth investigation. However, Gemalto rushed into putting out the fire that has recently set the nerves of stakeholders, employees, telecoms, users and many other on edge.

Second, 3G and 4G connections are not completely hack-proof. One way to deceive them is jamming the traffic to force phones to switch to the outdated 2G standard, which is easily crackable. Plus, several others security researchers already doubt the security and robustness of 3G and 4G networks. With respect to the improved encryption standard called A5/3 within 3G networks, the crypto expert Professor Alan Woodward asserts for Forbes:

“[T]he implementation had practical limitations in that there was limited processing power on the handsets, which meant they would do things like repeatedly use code to speed up processing. This is great for cryptanalysts as you can inject data and look for repeating patterns to extract the keys – even with the 128 bit keys a PC can break them in a couple of hours.“

Pulling hacking stunts like the data heist against Gemalto can be really rewarding because it “allows bulk surveillance of telecoms without anyone getting caught,” adds Chris Soghoian, a principal technologist at the ACLU. Moreover, it would be particularly useful approach in countries where the local government is not willing to cooperate. Hence, by gaining the encryption keys, the NSA can pretty much go around all these unpleasant obstacles to directly lay hands on the treasure.

There is no doubt, however, that such surveillance violates international laws, as well as domestic legislation of countries where the hacked keys have been used. The staff attorney at the Electronic Frontier Foundation, Mark Rumold, ascertains that besides the legal implications there are other such: “[The stolen keys] have the functional equivalent of our house keys. That has serious implications for privacy not just here in the US but internationally.” After an NSA spying campaign against the German chancellor Angela Merkel and the president of Brazil accusing NSA of breaching international law, this event is expected to further complicate strained diplomatic relations between all the states involved.

In fact, the vice president of the security and privacy department in Google, Eric Grosse, sums up the situation very precisely: “The government is realizing they can’t just blow into town and let bygones be bygones. Our business depends on trust. If you lose it, it takes years to regain.” In the same spirit, Soghoian concluded: “There is no reason for people to trust AT&T, Verizon or anyone at this point. Their systems are hopelessly insecure.”

And the discussion on built-in backdoors is merely a fragment floating into the sea of uncertainty. When you look at the big picture, the events examined in this article illustrate that there is permanent, chronic distrust and tension at both political and economic level:

Between governments

Between governments and local or international institutions

Between governments and IT & communications sector

Between governments and citizens

Between IT & communications sector and citizens

While a situation of overall lack of trust bodes ill for everybody, the right conclusions should be drawn and proper changes should be made accordingly. It won’t happen overnight, of course, but now seems to be the right moment to be rebuild some burned bridges of mutual trust.

Dimitar Kostadinov applied for a 6-year Master’s program in Bulgarian and European Law at the University of Ruse, and was enrolled in 2002 following high school. He obtained a Master degree in 2009. From 2008-2012, Dimitar held a job as data entry & research for the American company Law Seminars International and its Bulgarian-Slovenian business partner DATA LAB. In 2011, he was admitted Law and Politics of International Security to Vrije Universiteit Amsterdam, the Netherlands, graduating in August of 2012. Dimitar also holds an LL.M. diploma in Intellectual Property Rights & ICT Law from KU Leuven (Brussels, Belgium). Besides legal studies, he is particularly interested in Internet of Things, Big Data, privacy & data protection, electronic contracts, electronic business, electronic media, telecoms, and cybercrime. Dimitar attended the 6th Annual Internet of Things European summit organized by Forum Europe in Brussels.

Your email address will not be published. Required fields are marked *

Comment

Name *

Email *

Website

Save my name, email, and website in this browser for the next time I comment.

× 6 = 30

About InfoSec

At Infosec, we believe knowledge is the most powerful tool in the fight against cybercrime. We provide the best certification and skills development training for IT and security professionals, as well as employee security awareness training and phishing simulations. Learn more at infosecinstitute.com.

Connect with us

Join our newsletter

File download

First Name

Last Name

Work Phone Number

Work Email Address

Job Title

Why Take This Training?

How will you fund your training?

What is your training budget?

InfoSec institute respects your privacy and will never use your personal information for anything other than to notify you of your requested course pricing. We will never sell your information to third parties. You will not be spammed.

Comments

What is Skillset?

Skillset

Practice tests & assessments.

Practice for certification success with the Skillset library of over 100,000 practice test questions. We analyze your responses and can determine when you are ready to sit for the test. Along your journey to exam readiness, we will:

1. Determine which required skills your knowledge is sufficient
2. Which required skills you need to work on
3. Recommend specific skills to practice on next
4. Track your progress towards a certification exam